NorduGrid Certification Authority

Introduction

The NorduGrid Certification Authority provides X.509 certificates for identification and authentication purposes for people associated with a research and/or academic institution in the Nordic countries specifically Denmark, Finland, Norway and Sweden. The NorduGrid Certification Authority is recognized and trusted by a growing list of other scientific Certification Authorities in the world. In particular it is a member of the EUGridPMA.

Certificates are needed to authenticate people and machines on the Grid. You can find useful information about X.509 certificates in our Certificate mini howto.

Obtaining a certificate

User and host certificates can be acquired by sending a certificate request to ca@nordugrid.org. A certificate request can be generated using the grid-cert-request command as specified below. Before requesting the certificate, you should make sure that the

   ca_NorduGrid-certrequest-config

package is installed on the cluster. Your system-administrator can confirm this if you are in doubt. If not, the package can be downloaded from the NorduGrid Downloads area. Note that this package is already included in the NorduGrid standalone client.

Now to generate a user-certificate-request, run the command

   grid-cert-request -int

and answer the questions as they appear. Please note that some of the fields are not supposed to be changed. Before sending the generated certificate request, verify that the subject of your certificate request has the form:

  /O=Grid/O=NorduGrid/OU=<your organization>/CN=<your name>/Email=<your email>

and does not contain non-ASCII characters (e.g., national accented letters in Unicode, non-latin letters etc). If these criteria are not satisfied, please rerun the grid-cert-request command. Note: you cannot use grid-cert-request by itself to generate a certificate request. You have to use the command above.

To generate a host-certificate-request, run:

grid-cert-request -host <FQDN of my host>

and to generate a ldap certificate request, run:

grid-cert-request -service ldap -host <FQDN of my host>

When generating a host- or ldap-certificate request, remember to NOT use the -int flag.

The certificate requests should be sent to the appropriate RA (see next section). If in doubt send the request to: ca@nordugrid.org.

Registration Authorities

In order to do identity checking you must send your certificate request to a valid registration authority (RA). Pick an appropriate RA from the this page. If in doubt, send the request directly to the CA: ca@nordugrid.org.

Certificate renewal

According to the NorduGrid CA policy, certificates cannot be renewed. You must submit a new certificate request as described above.

The NorduGrid CA public certificate

If you wish to interact with NorduGrid resources, you need to install the NorduGrid CAs public certificate and various other files. The easiest way to install these is to install the ca_NorduGrid certificate package.

Note that the NorduGrid standalone client already contains the NorduGrid CA public certificate as well as public certificates for some of the major scientific certificate authorities in the world.

To install it into your browser simply click here.

For a manual installation you need to get the files 1f0e8352.0 and 1f0e8352.signing_policy and follow the Globus installation instructions. An up to date revocation list can be found here 1f0e8352.r0.

If you have any problems email ca@nordugrid.org

Revocation

Sometimes user or host certificates needs to be invalidated before the end of their lifetime. This is called revocation and happens most often if the private key corresponding to the certificate has been compromised. Sites that accepts certificates signed by the NorduGrid CA should install an updated copy of the the list of revocated certificates -- the so-called CRL-file (1f0e8352.r0). The CRL file is maintained by the CA and a new version should periodically be downloaded and placed in /etc/grid-security/certificates.

If the CRL is installed, authentication will fail once it has expired and a new one needs to be downloaded and installed. Site-administrators can use the following command to check their NorduGrid CRL file:

openssl crl -in /etc/grid-security/certificates/1f0e8352.r0 -text

The default lifetime of the CRL is 30 days. To get automatic updates of the certificate revocation list, you can install the certificate-utility package provided by the NorduGrid project nordugrid-ca-utils

downloadable from the NorduGrid Downloads area. This package will make sure that the certificate revocation list is updated four times a day and the CRL files of the trusted CAs are placed in the default directory given above.

Certificate Policy and Certification Practice Statement

The NorduGrid X.509 CA Certificate Policy and Certification Practice Statement. The document is structured according to RFC 2527.

Links

Page last modified: 2013-07-12 16:06
Statistics